New Free Windows System Tool Called Sysmon from Sysinternals

It isn’t often that we get a brand-new addition to the famous suite of free system tools provided at Windows Sysinternals and when we do it’s worth noting. Mark Russinovich has just announced a tool called Sysmon. The description and download link are at this page.

Sysmon is a command-line tool for experienced Windows users and adds some interesting new system monitoring and logging capabilities. The download is a 465 KB zipped file containing an executable and a EULA. The command-line executable can be placed anywhere but it is most convenient to put it in a folder that is in the path. It is then installed to run by the command: sysmon –I.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

This major update to Sysmon, a service that records process activity to the Windows event log for use by incident detection and forensic analysis, includes driver load and image load events with signature information, configurable hashing algorithm reporting, flexible filters for including and excluding events, and support for supplying configuration via a configuration file instead of the command line.

Get your own favorite tip published! Know a neat tech tip or trick? Then why not have it published here and receive full credit? Click here to tell us your tip.